Amazon S3 server-side encryption (SSE) allows users to encrypt data at rest. The company is required to encrypt the sensitive records while they are stored, which refers to encryption at rest. AWS Key Management Service (KMS) managed keys (SSE-KMS), customer-provided keys (SSE-C), and Amazon S3-managed keys (SSE-S3) are all valid encryption options for data at rest. The correct answer is 'Enabling server-side encryption with Amazon S3-managed encryption keys (SSE-S3)' because it directly pertains to data at rest. Enabling encryption in transit (by utilizing HTTPS for data transfer) does not apply to data at rest, and ‘AWS Shield Advanced’ is primarily used for protection against Distributed Denial of Service (DDoS) attacks, not for encrypting data.